source: mod_gnutls/include/mod_gnutls.h.in @ 5ab2868

asynciodebian/masterproxy-ticket
Last change on this file since 5ab2868 was 5ab2868, checked in by Fiona Klute <fiona.klute@…>, 3 years ago

Remove unused server variable

The mgs_srvconf_rec.non_ssl_request variable was never read and only
set when receiving a non-TLS request.

  • Property mode set to 100644
File size: 14.2 KB
Line 
1/*
2 *  Copyright 2004-2005 Paul Querna
3 *  Copyright 2014 Nikos Mavrogiannopoulos
4 *  Copyright 2015-2018 Fiona Klute
5 *
6 *  Licensed under the Apache License, Version 2.0 (the "License");
7 *  you may not use this file except in compliance with the License.
8 *  You may obtain a copy of the License at
9 *
10 *      http://www.apache.org/licenses/LICENSE-2.0
11 *
12 *  Unless required by applicable law or agreed to in writing, software
13 *  distributed under the License is distributed on an "AS IS" BASIS,
14 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 *  See the License for the specific language governing permissions and
16 *  limitations under the License.
17 */
18
19/* Apache Runtime Headers */
20#include "httpd.h"
21#include "http_config.h"
22#include "http_protocol.h"
23#include "http_connection.h"
24#include "http_request.h"
25#include "http_core.h"
26#include "http_log.h"
27#include "apr_buckets.h"
28#include "apr_strings.h"
29#include "apr_tables.h"
30#include "ap_release.h"
31#include "apr_fnmatch.h"
32/* GnuTLS Library Headers */
33#include <gnutls/gnutls.h>
34#include <gnutls/abstract.h>
35#include <gnutls/x509.h>
36
37#ifndef __mod_gnutls_h_inc
38#define __mod_gnutls_h_inc
39
40extern module AP_MODULE_DECLARE_DATA gnutls_module;
41
42/* IO Filter names */
43#define GNUTLS_OUTPUT_FILTER_NAME "gnutls_output_filter"
44#define GNUTLS_INPUT_FILTER_NAME "gnutls_input_filter"
45/* GnuTLS Constants */
46#define GNUTLS_ENABLED_FALSE 0
47#define GNUTLS_ENABLED_TRUE  1
48#define GNUTLS_ENABLED_UNSET  2
49/* Current module version */
50#define MOD_GNUTLS_VERSION "@MOD_GNUTLS_VERSION@"
51
52/* Module Debug Mode */
53#define MOD_GNUTLS_DEBUG @OOO_MAINTAIN@
54
55/** Name of the module-wide singleton watchdog */
56#define MGS_SINGLETON_WATCHDOG "_mod_gnutls_singleton_"
57
58
59/* Internal cache data, defined in gnutls_cache.h */
60typedef struct mgs_cache* mgs_cache_t;
61
62typedef enum {
63    mgs_cvm_unset,
64    mgs_cvm_cartel,
65    mgs_cvm_msva
66} mgs_client_verification_method_e;
67
68
69/* Directory Configuration Record */
70typedef struct {
71    int client_verify_mode;
72} mgs_dirconf_rec;
73
74
75/* Internal per-vhost config for OCSP, defined in gnutls_ocsp.h */
76typedef struct mgs_ocsp_data* mgs_ocsp_data_t;
77
78
79/* The maximum number of certificates to send in a chain */
80#define MAX_CHAIN_SIZE 8
81/* The maximum number of SANs to read from a x509 certificate */
82#define MAX_CERT_SAN 5
83
84/** Server Configuration Record */
85typedef struct {
86    /* --- Configuration values --- */
87        /* Is the module enabled? */
88    int enabled;
89        /* Is mod_proxy enabled? */
90    int proxy_enabled;
91
92    /* List of PKCS #11 provider modules to load, only valid in the
93     * base config, ignored in virtual hosts */
94    apr_array_header_t *p11_modules;
95
96    /* PIN used for PKCS #11 operations */
97    char *pin;
98
99    /* the SRK PIN used in TPM operations */
100    char *srk_pin;
101
102    char *x509_cert_file;
103    char *x509_key_file;
104    char *x509_ca_file;
105
106    char *dh_file;
107
108    char *priorities_str;
109    char *proxy_priorities_str;
110
111    const char* srp_tpasswd_file;
112    const char* srp_tpasswd_conf_file;
113
114        /* Cache timeout value */
115    int cache_timeout;
116        /* Chose Cache Type */
117    const char* cache_type;
118    /* Enable cache */
119    unsigned char cache_enable : 2;
120    const char* cache_config;
121    /* Internal cache data */
122    mgs_cache_t cache;
123
124        /* GnuTLS uses Session Tickets */
125    int tickets;
126
127    /* x509 Certificate Structure */
128    gnutls_certificate_credentials_t certs;
129    /* x509 credentials for proxy connections */
130    gnutls_certificate_credentials_t proxy_x509_creds;
131    /* trust list for proxy_x509_creds */
132    gnutls_x509_trust_list_t proxy_x509_tl;
133    const char* proxy_x509_key_file;
134    const char* proxy_x509_cert_file;
135    const char* proxy_x509_ca_file;
136    const char* proxy_x509_crl_file;
137    /* GnuTLS priorities for proxy connections */
138    gnutls_priority_t proxy_priorities;
139    /* SRP Certificate Structure*/
140    gnutls_srp_server_credentials_t srp_creds;
141    /* Anonymous Certificate Structure */
142    gnutls_anon_server_credentials_t anon_creds;
143    /* Anonymous Client Certificate Structure, used for proxy
144     * connections */
145    gnutls_anon_client_credentials_t anon_client_creds;
146        /* Current x509 Certificate CN [Common Name] */
147    char* cert_cn;
148        /* Current x509 Certificate SAN [Subject Alternate Name]s*/
149    char* cert_san[MAX_CERT_SAN];
150        /* An x509 Certificate Chain */
151    gnutls_pcert_st *certs_x509_chain;
152    gnutls_x509_crt_t *certs_x509_crt_chain;
153        /* Number of Certificates in Chain */
154    unsigned int certs_x509_chain_num;
155
156        /* Current x509 Certificate Private Key */
157    gnutls_privkey_t privkey_x509;
158
159    /* Export full certificates to CGI environment: */
160    int export_certificates_size;
161        /* GnuTLS Priorities */
162    gnutls_priority_t priorities;
163        /* GnuTLS DH Parameters */
164    gnutls_dh_params_t dh_params;
165        /* A list of CA Certificates */
166    gnutls_x509_crt_t *ca_list;
167        /* CA Certificate list size */
168    unsigned int ca_list_size;
169        /* Client Certificate Verification Mode */
170    int client_verify_mode;
171        /* Client Certificate Verification Method */
172    mgs_client_verification_method_e client_verify_method;
173
174    /* Enable OCSP stapling */
175    unsigned char ocsp_staple;
176    /* Automatically refresh cached OCSP response? */
177    unsigned char ocsp_auto_refresh;
178    /* Check nonce in OCSP responses? */
179    unsigned char ocsp_check_nonce;
180    /* Read OCSP response for stapling from this file instead of
181     * sending a request over HTTP */
182    char *ocsp_response_file;
183    /* Internal OCSP data for this server */
184    mgs_ocsp_data_t ocsp;
185    /* Mutex to prevent parallel OCSP requests */
186    apr_global_mutex_t *ocsp_mutex;
187    /* Cache timeout for OCSP responses. Note that the nextUpdate
188     * field of the response takes precedence if shorter. */
189    apr_interval_time_t ocsp_cache_time;
190    /* If an OCSP request fails wait this long before trying again. */
191    apr_interval_time_t ocsp_failure_timeout;
192    /** How long before a cached OCSP response expires should it be
193     * updated? During configuration parsing this is set to the
194     * maximum, during post configuration the value will be set to
195     * half that. After each update the interval to for the next one
196     * is choosen randomly as `ocsp_fuzz_time + ocsp_fuzz_time *
197     * RANDOM` with `0 <= RANDOM <= 1`. */
198    apr_interval_time_t ocsp_fuzz_time;
199    /* Socket timeout for OCSP requests */
200    apr_interval_time_t ocsp_socket_timeout;
201
202    /** This module's singleton watchdog, used for async OCSP cache
203     * updates. */
204    struct mgs_watchdog *singleton_wd;
205} mgs_srvconf_rec;
206
207/* Character Buffer */
208typedef struct {
209    int length;
210    char *value;
211} mgs_char_buffer_t;
212
213/* GnuTLS Handle */
214typedef struct {
215        /* Server configuration record */
216    mgs_srvconf_rec *sc;
217        /* Connection record */
218    conn_rec* c;
219        /* Is TLS enabled for this connection? */
220    int enabled;
221    /* Is this a proxy connection? */
222    int is_proxy;
223        /* GnuTLS Session handle */
224    gnutls_session_t session;
225        /* module input status */
226    apr_status_t input_rc;
227        /* Input filter */
228    ap_filter_t *input_filter;
229        /* Input Bucket Brigade */
230    apr_bucket_brigade *input_bb;
231        /* Input Read Type */
232    apr_read_type_e input_block;
233        /* Input Mode */
234    ap_input_mode_t input_mode;
235        /* Input Character Buffer */
236    mgs_char_buffer_t input_cbuf;
237        /* Input Character Array */
238    char input_buffer[AP_IOBUFSIZE];
239        /* module Output status */
240    apr_status_t output_rc;
241        /* Output filter */
242    ap_filter_t *output_filter;
243        /* Output Bucket Brigade */
244    apr_bucket_brigade *output_bb;
245        /* Output character array */
246    char output_buffer[AP_IOBUFSIZE];
247        /* Output buffer length */
248    apr_size_t output_blen;
249        /* Output length */
250    apr_size_t output_length;
251        /* General Status */
252    int status;
253} mgs_handle_t;
254
255
256
257/** Functions in gnutls_io.c **/
258
259/* apr_signal_block() for blocking SIGPIPE */
260apr_status_t apr_signal_block(int signum);
261
262/* Proxy Support */
263/** mod_proxy adds a note with this key to the connection->notes table
264 * for client connections */
265#define PROXY_SNI_NOTE "proxy-request-hostname"
266/* An optional function which returns non-zero if the given connection
267is using SSL/TLS. */
268APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
269/* The ssl_var_lookup() optional function retrieves SSL environment
270 * variables. */
271APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
272                        (apr_pool_t *, server_rec *,
273                         conn_rec *, request_rec *,
274                         char *));
275/* The ssl_proxy_enable() and ssl_engine_disable() optional functions
276 * are used by mod_proxy to enable use of SSL for outgoing
277 * connections. */
278APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
279APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
280APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
281                                              ap_conf_vector_t *,
282                                              int proxy, int enable));
283mgs_handle_t* get_effective_gnutls_ctxt(conn_rec *c);
284int ssl_is_https(conn_rec *c);
285char* ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c,
286                     request_rec *r, char *var);
287int ssl_proxy_enable(conn_rec *c);
288int ssl_engine_disable(conn_rec *c);
289const char *mgs_set_proxy_engine(cmd_parms * parms, void *dummy,
290                                 const int arg);
291apr_status_t mgs_cleanup_pre_config(void *data);
292
293/**
294 * mgs_filter_input will filter the input data
295 * by decrypting it using GnuTLS and passes it cleartext.
296 *
297 * @param f     the filter info record
298 * @param bb    the bucket brigade, where to store the result to
299 * @param mode  what shall we read?
300 * @param block a block index we shall read from?
301 * @return result status
302 */
303apr_status_t mgs_filter_input(ap_filter_t * f,
304                                     apr_bucket_brigade * bb,
305                                     ap_input_mode_t mode,
306                                     apr_read_type_e block,
307                                     apr_off_t readbytes);
308
309/**
310 * mgs_filter_output will filter the encrypt
311 * the incoming bucket using GnuTLS and passes it onto the next filter.
312 *
313 * @param f     the filter info record
314 * @param bb    the bucket brigade, where to store the result to
315 * @return result status
316 */
317apr_status_t mgs_filter_output(ap_filter_t * f,
318                                      apr_bucket_brigade * bb);
319
320
321/**
322 * mgs_transport_read is called from GnuTLS to provide encrypted
323 * data from the client.
324 *
325 * @param ptr     pointer to the filter context
326 * @param buffer  place to put data
327 * @param len     maximum size
328 * @return size   length of the data stored in buffer
329 */
330ssize_t mgs_transport_read(gnutls_transport_ptr_t ptr,
331                                  void *buffer, size_t len);
332
333/**
334 * mgs_transport_write is called from GnuTLS to
335 * write data to the client.
336 *
337 * @param ptr     pointer to the filter context
338 * @param buffer  buffer to write to the client
339 * @param len     size of the buffer
340 * @return size   length of the data written
341 */
342ssize_t mgs_transport_write(gnutls_transport_ptr_t ptr,
343                                   const void *buffer, size_t len);
344
345
346int mgs_rehandshake(mgs_handle_t * ctxt);
347
348
349
350/**
351 * Perform any reinitialization required in PKCS #11
352 */
353int mgs_pkcs11_reinit(server_rec * s);
354
355
356
357/* Configuration Functions */
358
359/* Loads all files set in the configuration */
360int mgs_load_files(apr_pool_t *pconf, apr_pool_t *ptemp, server_rec *s)
361    __attribute__((nonnull));
362
363const char *mgs_set_srp_tpasswd_conf_file(cmd_parms * parms, void *dummy,
364                                        const char *arg);
365const char *mgs_set_srp_tpasswd_file(cmd_parms * parms, void *dummy,
366                                        const char *arg);
367const char *mgs_set_dh_file(cmd_parms * parms, void *dummy,
368                                        const char *arg);
369const char *mgs_set_cert_file(cmd_parms * parms, void *dummy,
370                                        const char *arg);
371
372const char *mgs_set_key_file(cmd_parms * parms, void *dummy,
373                             const char *arg);
374
375const char *mgs_set_timeout(cmd_parms *parms, void *dummy, const char *arg);
376
377const char *mgs_set_client_verify(cmd_parms * parms, void *dummy,
378                                  const char *arg);
379
380const char *mgs_set_client_verify_method(cmd_parms * parms, void *dummy,
381                                         const char *arg);
382
383const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
384                                   const char *arg);
385
386const char *mgs_set_p11_module(cmd_parms * parms, void *dummy,
387                               const char *arg);
388
389const char *mgs_set_pin(cmd_parms * parms, void *dummy,
390                                   const char *arg);
391
392const char *mgs_set_srk_pin(cmd_parms * parms, void *dummy,
393                                   const char *arg);
394
395const char *mgs_set_enabled(cmd_parms * parms, void *dummy,
396                            const int arg);
397const char *mgs_set_export_certificates_size(cmd_parms * parms, void *dummy,
398                            const char *arg);
399const char *mgs_set_priorities(cmd_parms * parms, void *dummy,
400                            const char *arg);
401const char *mgs_set_tickets(cmd_parms * parms, void *dummy,
402                            const int arg);
403
404void *mgs_config_server_create(apr_pool_t * p, server_rec * s);
405void *mgs_config_server_merge(apr_pool_t *p, void *BASE, void *ADD);
406
407void *mgs_config_dir_merge(apr_pool_t *p, void *basev, void *addv);
408
409void *mgs_config_dir_create(apr_pool_t *p, char *dir);
410
411mgs_srvconf_rec* mgs_find_sni_server(gnutls_session_t session);
412
413const char *mgs_store_cred_path(cmd_parms * parms,
414                                void *dummy __attribute__((unused)),
415                                const char *arg);
416
417/* mod_gnutls Hooks. */
418
419int mgs_hook_pre_config(apr_pool_t * pconf,
420                        apr_pool_t * plog, apr_pool_t * ptemp);
421
422int mgs_hook_post_config(apr_pool_t *pconf,
423                         apr_pool_t *plog,
424                         apr_pool_t *ptemp,
425                         server_rec *base_server);
426
427void mgs_hook_child_init(apr_pool_t *p, server_rec *s);
428
429const char *mgs_hook_http_scheme(const request_rec * r);
430
431apr_port_t mgs_hook_default_port(const request_rec * r);
432
433int mgs_hook_pre_connection(conn_rec * c, void *csd);
434
435int mgs_hook_process_connection(conn_rec* c);
436
437int mgs_hook_fixups(request_rec *r);
438
439int mgs_hook_authz(request_rec *r);
440
441#endif /*  __mod_gnutls_h_inc */
Note: See TracBrowser for help on using the repository browser.